The CyberWire Daily Briefing 09.03.15
GhostSec hacktivists indicate they've begun a new phase in their anti-ISIS campaign. ISIS forerunner and declining rival al Qaeda looks for messaging to regain terrorist mindshare.
A new version of the Carbanak banking Trojan hits North America and Europe.
RedHat researchers find that some implementations of the TLS protocol can leak RSA keys.
Rapid7 finds vulnerabilities rife in baby monitors, and sees this as a cautionary tale for IoT security.
Malwarebytes describes how the adware installer Myki discovered gains access to Mac users' keychains.
Sophos provides details on the workings of the Word Intruder malware kit, and inter alia insight into criminal market terms-of-service (once Word Intruder became popular, its purveyors stamped it "For targeted attacks only").
Ransomware remains the cybercriminals' darling. And please note — that Simplocker infestation you suffered? It's not really from NSA.
Another apparently motiveless skid hits British police with denial-of-service.
Fortinet patches FortiClient. The Internet Systems Consortium patches BIND.
Cyber security firms seem to have a long run ahead of them as attractive investments. Unicorn watchers marvel at Tanium's $3.5 billion valuation (partly driven by US Federal business prospects). Virgil Security and Cyph hatch from MACH 37 incubation and feed on venture capital. Gartner pushes the conventional wisdom of the Internet-of-things' being the next big thing, and Siemens seems to agree (and has the smart kitchen to back it up).
Regulations in the UK and US are said to impose significant cyber costs on businesses.
Sino-US relations are marked by debates over sanctions and cyber war.
Today's issue includes events affecting Australia, China, Czech Republic, India, Indonesia, Iraq, Jordan, Lithuania, Malaysia, Mali, Russia, Singapore, Syria, Thailand, United Kingdom, United States, and Yemen.
Cyber Attacks, Threats, and Vulnerabilities
Anonymous Offshoot GhostSec Launches Another Phase of Attacks Against ISIS (HackRead) Another phase of an online battle against the members of the so-called Islamic State (IS, previously ISIS/ISIL) group has been launched throughout the world by the Anonymous hacktivists
Extreme Makeover, Jihadist Edition: Al-Qaeda's Rebranding Campaign (War on the Rocks) There is no love lost between al-Qaeda and the Islamic State. Al-Qaeda appears to be rolling out a very deliberate PR strategy against its erstwhile affiliate. Can the organization re-brand itself as the jihadi group the world can live with?
New Versions of Carbanak Banking Malware Seen Hitting Targets in U.S. and Europe (Threatpost) New variants of the notorious Carbanak Trojan have surfaced in Europe and the United States, and researchers say that the malware now has its own proprietary communications protocol and the samples seen so far have been digitally signed
RedHat security finds multiple network devices leak 'RSA-CRT' keys (CSO) A researcher has discovered certain implementations of the Transport Layer Security (TLS) protocol used to encrypt web traffic can leak RSA keys
Rapid7 research exposes internet of things security problems (ComputerWeekly) Security flaws exposed on internet-connected baby monitors indicate the poor state of consumer internet of things (IoT) security that businesses should not ignore, warns Rapid7
Adware installer gives itself permission to access Mac users' keychain (Help Net Security) Malwarebytes researcher Adam Thomas has made an interesting discovery: an adware installer created by Genieo, a well-known distributor of unwanted software, is taking advantage of an OS X feature to access information stored in the "Safari Extension List" in the users' keychain
Microsoft Word Intruder Revealed — inside a malware construction kit (Naked Security) Start thinking back, and bring to mind the big "Malware In The Media" stories of the last few years
Malware Author Stamped Code 'For Targeted Attacks Only' (Dark Reading) When the Microsoft Word Intruder Office malware creation kit got too high-profile, the developer changed terms of service, Sophos report says
Wikipedia blocks sockpuppet accounts amid blackmail claims (Naked Security) The Wikimedia Foundation (WMF), host of the online encyclopaedia, Wikipedia, announced on Monday that it has suspended 381 accounts for creating pages deemed to be either overly promotional in nature or featuring spam links
Victims of June OPM Hack Still Haven't Been Notified (Threatpost) Millions of government workers whose information was implicated in this year's expansive Office of Personnel Management hack still haven't been notified, the agency revealed this week
OPM (Mis)Spends $133M on Credit Monitoring (KrebsOnSecurity) The Office of Personnel Management (OPM) has awarded a $133 million contract to a private firm in an effort to provide credit monitoring services for three years to nearly 22 million people who had their Social Security numbers and other sensitive data stolen by cybercriminals. But perhaps the agency should be offering the option to pay for the cost that victims may incur in "freezing" their credit files, a much more effective way of preventing identity theft
Android ransomware uses XMPP chat to call home, claims it's from NSA (Ars Technica) Improved Simplocker lurks disguised as legitimate Flash or video player app
Ransomware Booms as Cyber Attackers' Method of Choice (SIGNAL) Eruption of connected devices, poor cyberhygiene contributed to the perfect storm
Greater Manchester Police website brought down by cyber attack from Lithuanian hacker (Mirror) The brazen hacker tweeted at the force claiming responsibility for the attack, which has been branded 'an act of internet vandalism'
How a simple email error revealed the identities of hundreds of HIV patients (Graham Cluley) Many of us have done it. Rather than emailing a long list of people using the Bcc field, we've used Cc instead
Cyber-security experts criticise data handling processes after HIV clinic email error (SC Magazine) Security experts have criticised the processes that allowed the names and email addresses of hundreds of HIV-positive patients in London to be revealed in an email newsletter
Car hacking risk may be broader than Fiat Chrysler (Money Market) The cybersecurity issues that led Fiat Chrysler Automobiles NV to recall 1.4 million vehicles in August could pose a problem for cars and trucks from other automakers, the top U.S. auto safety regulator said. Mark Rosekind, who heads the National Highway Traffic Safety Administration, said his watchdog agency is trying to determine how many car makers received wireless components from the same company that supplied Fiat Chrysler
Employees put business data at risk by installing gambling apps on their phones (IDG via CSO) Some companies have as many as 35 such apps in their environments, a study found
Lone Rangers of the Underground (Trend Micro) When we speak about online crime, we do so often in terms of "organised crime" or of highly-skilled nation-state sponsored activity
Security Patches, Mitigations, and Software Updates
Fortinet addresses four vulnerabilities in FortiClient (SC Magazine) Fortinet has released a firmware update for its endpoint security solution FortiClient that addresses four vulnerabilities
Internet Systems Consortium (ISC) Releases Security Updates for BIND (US-CERT) ISC has released security updates to address vulnerabilities in BIND. Exploitation of these vulnerabilities may allow a remote attacker to cause a denial-of-service condition
Microsoft Fixes Botched Windows Security Patch Breaking Down Windows Security Apps (Softpedia) The number of botched updates shipped to Microsoft customers across the world has dropped significantly in the last few months, but this doesn't necessarily mean that patches causing headaches have disappeared entirely
Why Internet of Things will change cybersecurity forever: Gartner (First Post) Over 20 percent of enterprises will have digital security services devoted to protecting business initiatives using devices and services in the Internet of Things (IoT) by year end 2017, according to Gartner, Inc
Deception may be next big IT security tool, or may be hype (TechTarget) A new report claims that deception may become a big factor in the future of IT security tools, but one expert warns that the efficacy of such tactics can diminish with popularity
What is the True Cost of a Data Breach? It May Not Be that Easy (Digital Guardian) As data breaches big and small continue to flood headlines, measuring the cost of these incidents remains a challenge
Is poor software development the biggest cyber threat? (CSO) The disconnect between software developers and IT security teams has led to widespread application vulnerabilities
Australian Cyber Security Centre releases first ever public threat report (Clayton Utz) Fewer cyber-attacks on Government systems have been accompanied by a rise on attacks on the private sector
ESET Report: Huge gap in cyber security knowledge leaves Asia vulnerable (ChannelWorld) ESET has released the ESET Asia Cyber Savviness Report 2015 which shows that 93 percent of online users in Asia worry about cyber security
Cybersecurity, One of the Fastest Growing Technology Segments (Market Realist) As the number of cyberattacks on companies rises, companies that conduct their businesses digitally will increase their spending on digital security
How Much Should Firms Pay to Protect Themselves From Hackers? (American Lawyer) The Am Law Daily spoke with a few cybersecurity consultants to find out the ideal amount that large law firms should spend to adequately defend their data from hackers, as well as determine whom they should hire for such a task
Snoopers' Charter will cause extreme rise in business costs (Help Net Security) The UK Government's Investigatory Powers Bill, dubbed 'Snoopers' Charter' by critics, has already been met with contention from tech giants, Google, Facebook and Microsoft, who have stressed they will not voluntarily co-operate with it
Bringing clarity to data breach legislation, enforcement (Security InfoWatch) Given the lack of laws and established court precedents nationally on issues involving cybersecurity combined with the rise of data breaches in recent years, concerns have been growing among security executives as to what the federal government may do to address the subject
VA Seeks Personal ID Credential Mgmt Software Sources (ExecutiveBiz) The U.S. Department of Veterans Affairs is exploring sources of application or software programs that VA can potentially use to verify credentials of employees and contractors who access its facilities
Verint Systems, Inc. (VRNT — $51.67*) Delivers Good July Results, Lowers Outlook — Maintain Outperform (FBR Capital) Last night, Verint delivered good F2Q16 (July) results, as it beat Street expectations on both the top and bottom lines, showing a nice rebound from the softness seen in F1Q16 (April)
Microsoft Corporation (MSFT — $43.36*) Windows 10 + Cloud Momentum = Brighter Days Ahead for Microsoft — Maintain Outperform (FBR Capital) While market volatility and worries about China/overall growth have been overhangs for Microsoft and its tech brethren over the past month, we believe cloud momentum and a healthy Windows 10 uptake out of the gate is setting the stage for a transformational cloud transition for Satya Nadella and company over the next few years
Security Financings Continue Their Heat Wave With A New $75M Round For Netskope (TechCrunch) Netskope, which sells a technology service protecting businesses' cloud-based software, has joined the ranks of the massively funded (and potentially overfunded?) security technology companies with a new $75 million round of financing
MACH37 Announces New Funding for Virgil Security and Cyph (Dark Reading) Angel Investors CIT, Goel Fund, and NextGen Angels invest in two innovative startups
Father And Son Become Billionaires With Tanium, The Hottest Cybersecurity Startup (Forbes) Fathers and sons everywhere can learn a lesson from David and Orion Hindawi
Federal demand for cybersecurity has firm Tanium booming (The Hill) Cybersecurity firm Tanium has raised $120 million in its third round of funding in just over a year, it said Wednesday, as federal demand for its services continues to grow
In digitalization, the race is still open (Welt) Despite the dominance of US corporations such as Google, Siemens believes German companies have great opportunities in the digitalization of the economy
New Strategy Needed to Address Skills Gap (InfoRiskToday) ISACA's Kadam Details New Program to Develop Security Pros
Internet of Things Security Pioneer, Bastille, Expands Executive Team to Launch its Next Stage of Growth (PRWeb) Additions in leadership bring experience scaling fast growing startups
Boston tech firm snags new hires with cybersecurity experience (Boston Business Journal) Carbonite, the Boston-based cloud backup firm, has made two new executive hires with one skill in common: cybersecurity
Products, Services, and Solutions
Cyber attack training center to open near Prague (Prague Post) Cyber-security firm CyberGym seek to train companies in defense
AdaptiveMobile Saves Mobile Operators More Than USD$40 Million Per Year (BusinessWire) Grey Route Controls service protects mobile operators' share of USD $70 billion A2P SMS market
Netflix Sleepy Puppy Awakens XSS Vulnerabilities in Secondary Applications (Threatpost) Most automated scanning and security tools that ferret out cross-site scripting vulnerabilities don't do much analysis beyond the target application. Netflix this week, however, released to open source a tool developed in-house that persists beyond the target app and can flag potential XSS trouble in secondary applications
Webroot Releases Security Toolkit for IoT Devices (eWeek) The toolkit is designed to help protect this next generation of critical systems against external threats and internal vulnerabilities
Smart Verify (TeleSign) A single API that simplifies end-user verification and two-factor authentication (2FA) for online and mobile app-based accounts to help increase completion rates and better manage costs, all while minimizing the development effort needed to get started
HP beefs up enterprise security suite with tools to root out malware, app vulnerabilities (PCWorld) The Fortify app testing service has gained machine learning analysis capabilities
SolarWinds Enables Resource-Constrained Security Teams to Easily Leverage Threat Intelligence (MarketWatch) SolarWinds® Log & Event Manager now integrates log collection with threat intelligence feeds to provide insight into known and proven threats for faster detection
Tanium review: Endpoint security at the speed of now (InfoWorld) Tanium Endpoint Platform draws on fast peer-to-peer communications to answer queries of managed clients within seconds
Kafka announces new features, improves use at LinkedIn, Yahoo, Netflix and more (FierceBigData) LinkedIn engineer Todd Palino called Kafka its "circulatory system for data," and now the company is working to improve the flow of its lifeblood
Siemens' smart kitchen is complete (Finanznachrichten) With connectivity-capable appliances for refrigeration, coffee and laundry care, the brand now offers a fully connected product range
Resilient Systems' Incident Response Platform to Strengthen EY's Managed Security Operations Center (BusinessWire) Resilient's Incident Response Platform will enable EY clients to respond more quickly and effectively to cyberattacks
Check Point Changes the Malware Game With New Threat Prevention Solution (CNN Money) Check Point SandBlast™ ups the ante in threat defense with evasion-resistant sandboxing and threat extraction
Compliance Software Company Intelleges and Cyber Security Firm Advanced Threat Analysis form Strategic Alliance (BusinessWire) Intelleges, a software company, and cyber security firm Advanced Threat Analysis (ATA) signed a strategic alliance today
Cutting-Edge MSSPs Supercharge their Services with Bit9 + Carbon Black, the Market Leader in Next-Gen Endpoint Security (Nasdaq) More than 25 top MSSPs bring market's most advanced endpoint security solution to 250+ organizations; other MSSPs are 'using slingshots in the fight against advanced threats'
ThetaRay Launches Credit Risk Detection Model for Online Lending Industry (PRNewswire) Increases loan acceptance rates while maintaining acceptable risk levels
Comparing the best SIEM systems on the market (TechTarget) Expert Karen Scarfone examines the best SIEM products on the market to help you determine which one is right for your organization
Technologies, Techniques, and Standards
11 Steps for Building APT Resilience (InfoRiskToday) Experts outline short, long-term plans to respond to new threats
The "Executive" IT Security Problem — Lessons Learned from Hillary Clinton (SecurityWeek) Executives have always been privileged users
Identity Theft 101 — Stop It, Catch It, Kill It: Part 2 (Team Cymru) In our previous post, we discussed what identity theft is, and how to prevent it. But with the best will in the world, criminals are crafty, and mistakes happen
Negligence And Risk: The Imperfect Balance Of Cyber Security (Forbes) Terry Kurzynski is the founder and Senior Partner of HALOCK Security Labs… Terry has pioneered a service philosophy that he calls Purpose Driven Security. This philosophy can best be summarized as measured and preemptive. Together the dual emphasis allows organizations to utilize a limited security budget to maximize protection of their critical information assets
Hedgeweek cybersecurity interview with Options CTO, John Bryant (Hedgeweek) Options Chief Technology Officer John Bryant (pictured) explains how the company is constantly working to stay ahead of the risks posed to the hedge fund industry by cybersecurity issues
Research and Development
A New Design for Cryptography's Black Box (Quanta) A two-year-old cryptographic breakthrough has proven difficult to put into practice. But new advances show how near-perfect computer security might be surprisingly close at hand
New Patent Granted Keypasco in Japan (Keypasco) Keypasco has filed patent applications in all major countries to secure its core software technology, which is the foundation for the Keypasco authentication solution
Unsolved cipher mystery: Spaniard says he's cracked Dead Pigeon code (Naked Security) Back in 2012, a man in the South of England was apparently renovating his chimney when he came across the skeleton of a pigeon
Ashley Madison Hack Creates Ethical Conundrum For Researchers (Huffington Post) Some see it as a "gold mine." Others say it's a minefield
Loyola University Maryland Receives 2015 Computerworld Data+ Editors' Choice Award for Mastering Data Security With Varonis (Nasdaq) Loyola University Maryland has been named as a 2015 Computerworld Data+ Editors' Choice Award honoree for its use of Varonis (NASDAQ:VRNS), the leading provider of software solutions for unstructured, human-generated enterprise data
Tech joins cyber battle (El Defensor Chieftain) Very few computer systems have proven completely safe from hackers around the globe in recent years
Cybersecurity workshop draws students of various stripes from across state (Daily Lobo) Students, law enforcement officers, military personnel and others are congregating at the Anderson School of Management this week for a seminar about cybersecurity fundamentals, in hopes that they can apply it to their education or careers
Emerging field has huge potential for college and university curricula (eCampusNews) Data analytics is gaining traction as a new career option for college graduates. Here's how one institution is grabbing the opportunity and helping students prepare for jobs in the field
New Marine cyber-security chair to spearhead PME overhaul (Marine Corps Times) A new cyber-security chair at Marine Corps University will oversee the integration of cyber studies into nearly every facet of professional military education for Marines, from lance corporals through senior commanders
Legislation, Policy, and Regulation
Should the US hit China with sanctions over cyberespionage? (Naked Security) China and the United States usually treat each other the way two heavyweight boxers do — circling each other, jabbing occasionally, but never throwing a big punch that could leave them exposed
A new global war front taking shape in cyberspace (CNBC) Looking for ways to thwart hackers, the federal government has budgeted $14B toward cybersecurity for fiscal 2016
Should Government Use 'Dark Web' Data to Warn Industry About Planned Attacks? (Nextgov) When attribution in cyberspace is debated and discussed, most of the focus has been on whether the U.S. government should take an offensive strike against cyberattackers
What Congress Can Learn from the Military About Cybersecurity (Defense One) As it stands, the Cybersecurity Information Sharing Act won't much improve information-sharing. Here's how to change that
OMB's Proposed Guidance Addresses Cyber Risk for Government Information (Legaltech News) New policies will impact government agencies and their contractors
Energy regulators respond to increasing cyber threats to the grid (Lexology) As anyone who even casually watches the nightly news can tell you, breaches of customer and corporate data can cause serious financial, legal, and reputational harm to a company
DISA's new cyber HQ starting to branch out (Defense Systems) The Defense Department's new, centralized office for defending DOD networks, which gained initial operating capability in January, is making progress on taking some of the defensive burden off of the U.S. Cyber Command, according to the vice director of the Defense Information Systems Agency
Who Commands In Cyberspace As New HQ Expands? (Breaking Defense) "Unity of command" is a classic principle of war
Litigation, Investigation, and Law Enforcement
Cybercrime by wire fraud — what's covered? (CSO) Think your cyber liability insurance will protect loss of funds? Read the fine print
Judge wants to push ahead with challenge to NSA's bulk collection of Americans' phone records (US News and World Report) A federal judge said Wednesday he plans to push ahead with a challenge to the National Security Agency's bulk collection of telephone data on hundreds of millions of Americans, even as the program is set to expire at the end of November
Journalists arrested on terrorism charges in Turkey for using crypto software (Ars Technica) Part of much wider trend to demonise encryption, perhaps with a view to banning it
Google accused of rigging search results by India's competition cops (Naked Security) In the competitive playground that is search, Google is the schoolyard bully, 30 companies told the Competition Commission of India (CCI) in response to its recent inquiries
Sony Entertainment reaches settlement with ex-workers affected by 2014 cyber-attack (Raw Story) Sony Pictures Entertainment Inc has reached a settlement agreement with nine former employees who had filed a lawsuit claiming that their personal data was stolen in a 2014 hacking tied to the studio's release of a comedy film set in North Korea, "The Interview"
Staffer who worked on Clinton's private e-mail server faces subpoena (Washington Post) A former State Department staffer who worked on Hillary Rodham Clinton's private e-mail server tried this week to fend off a subpoena to testify before Congress, saying he would assert his constitutional right not to answer questions to avoid incriminating himself
Report: VA lost 10,000 health applications (Military Times) The Veterans Affairs Department's system for tracking veterans' applications for health care is so unreliable that it's impossible for VA officials to know how many former troops still want care — or even if they are still alive, according to a new report
Reporters face subpoenas in case over CIA head's resignation (AP via Yahoo! News) A couple suing over leaks in the federal investigation that led to CIA Director David Petraeus' resignation intend to subpoena at least two journalists in an attempt to compel testimony about their sources
Man arrested for parodying mayor on Twitter gets $125K in civil lawsuit (Ars Technica) Mayor concerned about being portrayed as drug abuser who hangs with prostitutes
Online drug dealer betrayed by poor opsec pleads guilty to importing molly (Ars Technica) Massachusetts man bought methylone from a sketchy Chinese online vendor
14-year-old added to police database for using Snapchat to send naked selfie (Ars Technica) Criminalized by stupid laws, had he been older, he would have been seen as the victim
For a complete running list of events, please visit the Event Tracker.
SCADA Nexus 2015 (Houston, Texas, USA, Sep 2 - 4, 2015) SCADA Nexus is an international annual event for ICS and SCADA security professionals and executives to focus on world-wide security concerns. The event is located in Houston, Texas each year at the Hilton Americas Convention Center. Our 2015 event is from September 2-4 with extended training from September 7-11.
SIN 2015 (Sochi, Russia, Sep 8 - 10, 2015) The 8th International Conference on Security of Information and Networks (SIN 2015) provides an international forum for presentation of research and applications of security in information and networks. SIN 2015 features contributed as well as invited papers, special sessions, workshops, and tutorials on theory and practice. It seeks to convene a high-quality, well-attended, and up-to-date conference on scientific and technical issues of security in information, networks, and systems
NSPW (New Security Paradigms Workshop) (Twente, Netherlands, Sep 8 - 11, 2015) Although NSPW is more of a workshop than a conference, it has earned its right to be included in this list. Since 1992, NSPW has been offering a unique forum for cyber security specialists involved in researching high-risk, high-opportunity paradigms to present their ideas. The discussions always challenge the current limitations of information security tools and technology, while disputing long-held beliefs or the very foundations of security. You're bound to get fresh, new ideas from attending this workshop
Global Cyberspace Cooperation Summit VI (New York, New York, USA, Sep 9 - 10, 2015) An invitation-only event, this meeting of international actors aims to coordinate and consolidate progress, showcase results and promote collective action. The annual cyber summits provide a crucial forum for building international, private-public action to foster international cooperation in cyberspace. Breakthrough groups, aligned with the initiative's objectives of economic and political development, digital security and stability, and sound governance and management, carry the program forward
Intelligence and National Security Summit (Washington, DC, USA, Sep 9 - 10, 2015) AFCEA International (AFCEA) and the Intelligence and National Security Alliance (INSA) are pleased to host the second Intelligence and National Security Summit to provide the platform for this essential discussion. This two-day, unclassified Summit will feature five plenary sessions with top federal agency leaders and policymakers sharing their assessments and priorities for U.S. national, defense and homeland security intelligence. In addition, thought leaders from government, industry and academia will explore emerging issues and solutions related to intelligence policy, cyber threats, and technology and innovation over nine breakout sessions
Cybersecurity Innovation Forum (Washington, DC, USA, Sep 9 - 11, 2015) The 2015 Cybersecurity Innovation Forum is a three-day event hosted by the National Institute of Standards and Technology, and planned with the National Security Agency, and the Department of Homeland Security. This event brings government and industry together to focus on current, emerging, and future challenges, technologies, projects, solutions, and research in trusted computing, security automation, and information sharing
2nd Annual Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, Sep 10, 2015) The one-day symposium will examine the potential advantages and pitfalls of an information-sharing strategy from the technological, business and regulatory perspectives
Cyber 6.0 (Laurel, Maryland, USA, Jun 17, 2015) The mission of the Cyber Conference is to provide a forum for small and mid-sized businesses in Howard County and the region to access industry and government leaders with current information on cybersecurity that will improve their market position, enhance their corporate security policies and infrastructure, identify potential business opportunities, and provide a take away of information and contacts for follow-up that assists businesses in understanding the role they play in national cybersecurity and how they can address those challenges. All businesses have a role to play in protecting the national security of our infrastructure. While locally sponsored and organized, the conference has national reach
BSides Augusta 2015 (Augusta, Georgia, USA, Sep 12, 2015) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening
SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel
Gulf Cooperation Council Cyber Security Summit (Abu Dhabi, United Arab Emirates, Sep 13 - 15, 2015) The GCC Cyber Security Summit will bring together regional and international thought leaders and decision-makers to examine one of the most vital threats to the region's future well-being: cyber-attack. Penetration of national and company security, criminal fraud and identity theft are now big business worldwide among a shadowy fraternity that is only growing in power and size. Recent incidents with film studios, healthcare providers and global banks continue to resonate in cabinet offices and boardrooms everywhere
Hacker Halted 2015 (Atlanta, Georgia, USA, Sep 13 - 18, 2015) EC-Council Foundation's flagship information security conference, Hacker Halted, will unite some of the greatest minds in information security, as industry experts address the latest threats and vulnerabilities plaguing the virtual world. Hacker Halted will also feature several highly technical and advanced workshops that cover the most current security topics and will include EC-Council's most sought after certification classes. Hacker Halted runs concurrently with the invitation-only Global CSO Forum
EnergySec 11th Annual Security & Compliance Summit (Washington, DC, USA, Sep 14 - 16, 2015) For more than 10 years the EnergySec Security Summit has been the premier gathering for stakeholders in the energy sector focused on physical and cyber security. Our summits give each attendee a rare opportunity to mingle with asset owners, government agencies, researchers, consultants, vendors and academia under one roof
Fraud Summit San Francisco (San Francisco, California, USA, Sep 15, 2015) ISMG's Fraud Summit is a one-day event focused exclusively on the top fraud trends impacting organizations and the mitigation strategies to overcome those challenges. Among the areas to be discussed are the fraud ecosystem, trends in consumer fraud awareness (what's working and what's not), and threat intelligence
Borderless Cyber 2015 (Washington, DC, USA, Sep 15 - 16, 2015) OASIS, in collaboration with The World Bank, will bring together public and private sector security professionals from around the world to evaluate, debate, and collaborate on cyber security best practices and tools. Hosted at The World Bank headquarters in Washington, DC, the conference will generate dialogue across government and business, combining high-profile guest speakers, interactive roundtable sessions, and moderated debates. Additional networking events will complement each day's agenda, offering opportunities for real-time collaboration
Detroit Secure World (Detroit, Michigan, USA, Sep 16 - 17, 2015) Join your fellow security professionals for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. Risk management and enterprise cyber defense strategies figure on the agenda
National Insider Threat Special Interest Group Meeting (Laurel, Maryland, USA, Jul 16, 2015) Topics to be discussed at the meeting: Insider Threat Program Development & Implementation, Behavioral Indicators Of Concern, Legal Considerations When Developing & Managing An Insider Threat Program. There is no cost to attend this meeting
6th Annual Billington Cybersecurity Summit (Washington, DC, USA, Sep 17, 2015) Join key leaders and decision makers from government, military and the private sector at this one-day intensive networking event as participants focus on the next generation of solutions to ensure this nation's cybersecurity
Cyber Security Summit: New York (New York, New York, USA, Sep 18, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates at the Cyber Security Summit are prequalified based on their willingness to meet with Solution Providers and proven ability to purchase products and services
Data Breach Investigation Summit (Dallas, Texas, USA, Sep 21 - 26, 2015) Data breaches are occurring at an alarming rate and increasing in their scope, frequency and impact, and they don't discriminate by industry, geography or organization size. When a breach occurs, organizations, agencies and individuals need to learn how to more effectively identify/detect that the breach has occurred, respond to the breach in an effective and timely manner, investigate the breach, and prevent/defend the organization from future breaches
St. Louis SecureWorld 2015 (St. Louis, Missouri, USA, Sep 22 - 23, 2015) Join your fellow security professionals for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. The security implications of the Internet-of-things will be among the topics discussed
OWASP APPSECUSA (San Francisco, California, USA, Sep 22 - 25, 2015) The premier gathering of developers, security experts and technologists to discuss cutting edge approaches to secure web applications
SAT 2015: 18th International Conference on Theory and Applications of Satisfiability Testing (Austin, Texas, USA, Sep 24 - 27, 2015) The International Conference on Theory and Applications of Satisfiability Testing (SAT) is the premier annual meeting for researchers focusing on the theory and applications of the propositional satisfiability problem, broadly construed. Aside from plain propositional satisfiability, the scope of the meeting includes Boolean optimization (including MaxSAT and Pseudo-Boolean (PB) constraints), Quantified Boolean Formulas (QBF), Satisfiability Modulo Theories (SMT), and Constraint Programming (CP) for problems with clear connections to Boolean-level reasoning
CSS (International Conference on Cryptography and Security Systems) (Warsaw, Poland, Sep 25 - 27, 2015) After three years' break, CSS is returning in 2017 with another great look at the evolution of cryptography and its role for the cyber security industry. This event is focused on presenting original and unpublished research and developing activities related to all aspects of cryptography and network security. From theory to practice, this conference might be right up your alley if you're interested in cryptography
Business Insurance Cyber Risk Summit 2015 (San Francisco, California, USA, Sep 27 - 28, 2015) The Business Insurance Cyber Risk Summit provides risk management professionals and chief information security officers with the practical information and tools needed to combat the latest cyber risks that threaten their organizations. The day-long conference will explore cyber exposures, regulations, governance and insurance coverage. Risk managers and CISOs will learn how to adapt proven risk management strategies to their current cybersecurity environments, how to better communicate with their information security teams, and how to effectively convey risks, exposures and coverage options to their corporate boards and the C suite
ASIS International (Anaheim, California, USA, Sep 28 - Oct 1, 2015) The ASIS Annual Seminar and Exhibits boasts of being one of the world's most influential events for security professionals. Its mission is to provide industry-leading education, countless business connections, and the latest product and service innovations from 600+ exhibitors from the information security sector
CYBERSEC European Cybersecurity Forum (Kraków, Poland, Sep 28 - 29, 2015) The CYBERSEC forum is the first of its kind in Poland and one of just a few regular public policy conferences in Europe devoted to the strategic issues of cyberspace and cybersecurity. The goal of the CYBERSEC conference is the formulation of practical recommendations that aim to increase resilience to cyber threats within specific economic sectors, countries, and the EU as a whole
(ISC)² Security Congress (Anaheim, California, USA, Sep 28 - Oct 1, 2015) Proudly colocated for the fifth year in a row, (ISC)² Security Congress 2015 and ASIS International 61st Annual Seminar and Exhibits (ASIS 2015) expect more than 19,000 professionals worldwide from both the information security and operational security disciplines to join together September 28 - October 1 in Anaheim, CA. Offering more than 80 education sessions along with networking and career advancement opportunities, (ISC)² Security Congress 2015 will include topics on best practices, current and emerging issues, and solutions to challenges
Cloud Security Alliance Congress at P.S.R. (Las Vegas, Nevada, USA, Sep 28 - Oct 1, 2015) The industry's premier gathering for IT security professionals and executives who must further educate themselves on the rapidly evolving subject of cloud security. Offering best practices and practical solutions for remaining secure in the cloud, CSA Congresses also expose attendees to industry-specific case studies. P.S.R. brings together two industry-leading events — CSA Congress US and the IAPP Privacy Academy — to provide attendees with more than double the education and networking opportunities with leading innovators and practitioners in technology, security and privacy for the price of a single conference. Among the keynote presenters are Arthur W. Coviello, Jr., Executive Chairman (Retired), The Security Division of EMC, RSA, Brian Krebs, Investigative Reporter, Cybersecurity Expert, Travis LeBlanc, Chief of Enforcement, Federal Communications Commission, Lydia Parnes, Partner, Wilson Sonsini Goodrich & Rosati, Jessica Rich, Director, Bureau of Consumer Protection, Federal Trade Commission
Fraud Summit Toronto (Toronto, Ontario, Canada, Sep 17, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology solutions designed to stop them.
Threat Intelligence Summit 2015 (ChampionsGate, Florida, USA, Sep 29 - 30, 2015) The threat landscape is getting bigger and more complex, the tools more plentiful, the amount of digital information increasingly massive, and the skills needed to navigate this terrain seem to multiply continuously. The key to success in defending against threats — actionable threat intelligence. Threat Intelligence Summit 2015 will address best practices for combating threats in your organization
hardwear.io: Hardware Security Conference and Training (The Hague, Netherlands, Sep 29 - Oct 2, 2015) Do you trust your hardware? Learn from experts about backdoors, exploits, trust, assurance and attacks on hardware equipment, firmware and related protocols
VB2015 (Prague, Czech Republic, Sep 30 - Oct 2, 2015) The VB2015 programme includes 38 papers on a wide range of security topics. As in previous years, the presentations will run in two parallel streams and the programme includes both technical and less technical presentations. Just a small selection of the many highlights includes: "Attack on the drones: security vulnerabilities of unmanned aerial vehicles" (Oleg Petrovsky), "How malware eats cookies" (Zhaoyan Xu, Wei Xu), "The Unbearable Lightness of APTing" (Yaniv Balmas, Ron Davidson, Shahar Tal), "The Kobayashi Maru dilemma" (Morton Swimmer, Nick FitzGerald, Andrew Lee), "DDoS trojan: a malicious concept that conquered the ELF format" (Peter Kalnai, Jaromir Horejsi), "POS fraud: trends and counter-actions to mass fraud" (Ken Dunham), and "The elephant in the room" (Marion Marschalek). This year's conference will include two keynote speakers — one at the opening of the conference and one at the very end. The programme will also include a number of added extras